Creating Remote VPN Redundancy with 2 ISPs on ASA running 8.3

rammany19
Level 1

hello

I need help setting up a remote VPN connection with two ISPs (redundancy), so that the remote VPN client will only have one connection but the two ISPs will be bound to one another.

I can do it on the previous IOS, but things changed in ASA 8.3. Please help.



Hi,

Could you please explain a little bit further?

The commands from 8.2 to 8.3 (except for NAT) are the same, they change on 8.4.

Thanks.

Hi,

In our HQ we have two ISPs (primary and backup), and the remote VPN client is set up on the primary ISP's public IP address, but what we want is "redundancy for VPN users", so that they have redundancy over the two links (primary and backup).

When VPN users are connecting via the remote client, it should show one IP address but work as failover with the same pre-shared key and group.

How do I do this setup in 8.3?

case study below:

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links

Thanks for the explanation.

The configuration on the HQ FW is the same, the crypto commands do not change... Just make sure you adjust your NAT rules:

https://supportforums.cisco.com/docs/DOC-9129

On the other hand, on the IPsec client you must add the Backup IP in the backup peer IP field:

As you can see, the 2.2.2.2 IP is the main connection and 3.3.3.2 is the backup.

Please keep in mind that by default the client will take up to 90 seconds to identify the network issue; you can change it, from 30 to 90 seconds:

Transport --->      "Peer response timeout (seconds)" field.

Also, the client will not auto-reconnect the session; the user must re-initiate it and enter the credentials, if configured.

Please let me know if you still have any questions.

Thanks.
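The client-side settings described in the reply above (a backup peer plus a shorter peer-response timeout) live in the Cisco VPN Client connection-entry profile (.pcf file). The following is an added example, not part of the original post: the peer addresses 2.2.2.2 and 3.3.3.2 are the ones from the reply, while the description, the group name vpnuser (taken from the tunnel-group later in the thread) and the 30-second timeout are assumptions. The group pre-shared key is deliberately left out; the client prompts for it, or ASDM exports it in encrypted form.

```ini
; Example connection entry for the Cisco IPsec VPN Client (constructed for this thread).
; AuthType=1 selects pre-shared-key (group) authentication.
[main]
Description=HQ remote access with ISP failover
Host=2.2.2.2
AuthType=1
GroupName=vpnuser
; Backup peer list: tried when Host does not answer. Comma-separate several.
EnableBackup=1
BackupServer=3.3.3.2
; "Peer response timeout (seconds)" on the Transport tab. Default is 90;
; 30 is the lowest value the client accepts and shortens failover detection.
PeerTimeout=30
; IPsec over UDP (NAT-T) so the client works from behind home routers.
EnableNat=1
```

Note that the backup peer only helps at connect time or after the client has declared the primary peer dead: as the thread says, the existing session is still torn down and the user has to reconnect.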

Hello,

I don't think the crypto is the same as in the case study I placed earlier in my post. Below is my crypto config that was placed in my router using ASDM to set up the "remote access VPN":

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
!
webvpn
group-policy vpnuser internal
group-policy vpnuser attributes
 vpn-tunnel-protocol IPSec
 default-domain value greenhouse.com
username johndoe password BoEFKkDtbnX5Uy1Q encrypted privilege 15
username ciscotest password JJaHPqq1Y/NT0F5a encrypted privilege 15
tunnel-group vpnuser type remote-access
tunnel-group vpnuser general-attributes
 address-pool GREENHOUSEVPNPOOL
 ! default-group-policy must name an existing group-policy; the only one defined above is vpnuser
 default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
 pre-shared-key *****

So, where do I apply the second interface in this config? I have already configured remote VPN on the primary ISP; how do I apply it to the second one with the same tunnel group and pre-shared key in 8.3?

Hi,

If you follow the post, you will find that "tunnel-group" is a global command which is not defined to any specific interface.

You basically need to add the same crypto map to both interfaces, as follows:

crypto map backup_map interface outside

crypto map backup_map interface backup

crypto isakmp enable outside

crypto isakmp enable backup

The only difference is related to the NAT statements, which is why I included the pre-NAT post in my previous note.

Thanks.

Hello Javier,

Thanks for figuring this out, but what do you mean by NAT statements? I have already configured PAT for inside users and SLA tracking for both ISPs.

Is there any special NAT I need to configure?

Thanks

Hello,

I mentioned the NAT rules just in case you would have any doubts.

I do understand that you have the PAT settings; please make sure you have the identity NAT rules to allow the VPN traffic. In 8.2 and previous it was called NAT exempt.

Otherwise, you will be able to connect but unable to access any internal resources.

Please let me know if you have any questions.

Thanks.
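Putting the two answers above together (the crypto map and ISAKMP bound to both ISP interfaces, and the 8.3 identity NAT that replaces the 8.2 NAT exempt rule), here is an added ASA 8.3 configuration fragment. It is not from the original posts: the interface names outside and backup, the crypto map backup_map, the dynamic map, the tunnel group vpnuser and the pool name GREENHOUSEVPNPOOL are taken from the thread, while the 10.0.0.0/24 LAN, the 10.10.10.0/24 pool and the object names are assumptions.

```text
! --- Address objects (assumed values) ---------------------------------
object network INSIDE_LAN
 subnet 10.0.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
ip local pool GREENHOUSEVPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! --- Identity NAT for VPN traffic (8.3 twice NAT) ---------------------
! 8.2 equivalent (no longer valid syntax):
!   access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
!   nat (inside) 0 access-list nonat
! Twice NAT rules sit in section 1 and are matched before the object/PAT
! rules, so LAN<->pool traffic is left untranslated on either ISP link.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL
nat (inside,backup)  source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL

! --- Same crypto map and ISAKMP on both ISP interfaces -----------------
! The dynamic map, transform sets and isakmp policies from the posted
! config are unchanged; only the bindings below are added.
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface outside
crypto map backup_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup

! --- Tunnel group is global: nothing per interface to add --------------
tunnel-group vpnuser type remote-access
tunnel-group vpnuser general-attributes
 address-pool GREENHOUSEVPNPOOL
 default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
 pre-shared-key *****
```

To check the result: `show crypto map` should list backup_map under both interfaces, `show nat` should show the two identity rules in section 1 with hit counts climbing once a client passes traffic, and `show crypto isakmp sa` shows which interface IP the client actually negotiated with. The SLA-tracked default route the poster already has is what makes the backup interface usable when the primary ISP is down, since the ASA forwards the replies to the client according to its routing table.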

Please do not hesitate to rate a post if you find it helpful.

Yes Javier, it works using the crypto backup config you stated earlier, but the link disconnects and we have to reconnect again.

We are looking for a way where it will switch automatically, like IP SLA. Can you suggest what can do that?

Thanks

As per design, the IPsec client will not reconnect the session; if the headend fails it will simply drop the connection.

Some people try with DDNS, so you could bind two public IP to one name, but you will need to contact your ISP for this service.

But again, the client will drop the connection and a new connection will need to be established.


Hello,

Thanks for your reply, but with which of the VPN technologies listed below can I achieve the failover?

1. Anyconnect

2. SSL VPN

thanks

There is an option to use a VPN cluster, but for this you will need a third public IP address (the cluster IP).

Please check this link:

Remote VPN Client Load Balancing on ASA 5500 Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805fda25.shtml

ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide

https://supportforums.cisco.com/docs/DOC-5964

The 1st one is for IPsec clients and AnyConnect (because the cluster configuration is the same).

The 2nd one is more dedicated to AnyConnect / SSL.

Please review them and let me know.

Thanks.

Please rate any post that you find useful.
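For readers following the VPN-cluster suggestion above, here is an added example of the load-balancing configuration an ASA member would carry; it is not part of the original thread or of the linked documents. Interface names outside and inside follow the thread; the cluster IP 2.2.2.10, port, priority and key are assumptions.

```text
! VPN load balancing (cluster) on one ASA member. Repeat on every member with
! the same cluster ip address and cluster key; the priority decides the master.
! Cluster encryption requires ISAKMP on the private (inside) interface.
crypto isakmp enable inside
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 2.2.2.10
 cluster port 9023
 cluster key <shared-secret>
 cluster encryption
 priority 10
 participate
```

The caveat relevant to this thread: the virtual cluster IP must lie on the same subnet as the lbpublic interface of every member, so a cluster redirects clients between ASAs on one ISP link rather than between two ISP links on one ASA. That is what the "third public IP" requirement above means in practice. `show vpn load-balancing` shows the cluster role and the per-member session counts.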